ACS-2010
1. SCADA and Control Systems Security Group (SCADASEC) Findings
2010 Applied Control Systems (ACS) Conference
September 20-23, 2010
Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE
Enumerating and Validating ICS Devices
Creative Commons License v3.0.
2. Who and what is
“Infracritical”?
• Leading industry and business in Critical
Infrastructure Protection (CIP).
– Provides guidance and direction to both public and private
sectors through information sharing and ‘best practices’.
– Established open public discussion forums on current and
relevant topics and affairs.
– Defines strategic vision of ‘future thought’ in infrastructure
development and support.
• Liaises between government and industry strategies.
• Sponsor and founder of the SCADASEC e-mail list.
3. Presentation Agenda
• Outline results from ‘The Gathering’ (May 2010).
• Reasons for having ‘The Gathering’.
• Latest projects:
– Enumerate and validate industrial automation/control
systems devices (fingerprint).
– Catalog devices by genus, manufacturer type, make, model,
and the results found, into a centralized data repository.
– Allow for variances of information found ‘in the wild’.
– Enumeration is performed using ‘open source’ security tools.
– Currently performing validation tests against the
Hirschmann ICS firewall (Hirschmann EAGLE TX/TX).
4. Outline Results from
‘The Gathering’ (May 2010)
• Established in May, 2010, ‘The Gathering’ provided a
common ground for representation from commercial
interests, academia and law enforcement.
• Discussed security concepts, issues and vulnerabilities
with ICS equipment that was brought and shared.
• Discussed and shared engineering methods to
improve performance of said equipment, both
operationally and from a security standpoint.
5. Reasons for Having
‘The Gathering’
• Need based on a “show ‘n tell” principle.
• Allows participants to see, work with and handle ICS
equipment in ways that would otherwise not be possible.
• Allows participants to share ideas, concepts and ideologies.
• Discuss methods of improving the performance of the
shared ICS equipment.
• Write recommendations for manufacturers.
6. Other Discoveries
• We are limiting public discussion on these discoveries.
• Schweitzer SEL-3620:
– SSL interface survived the overnight assault from the Mu
Dynamics fuzzer device.
– No problems found.
• Another popular industrial switch TELNET interface:
– 158 problems found.
• Write recommendations for manufacturers.
7. Project ‘Enlightenment’
• Validate CSET/CS2SAT network maps.
• Develop and exercise controlled methods of
enumerating ICS equipment and appliances.
• Acquire intelligence from ICS equipment supplied
by ICS owner-operators and private donors.
• Enumerate through several methods:
– IT protocols: HTTP/HTTPS, SSH, SSL certificates, SNMP, etc.
– control system protocols: Modbus, Profibus, DNP, EthernetIP, etc.
8. Project ‘NINJA’
Network INtelligence Joint Analysis
• Catalog intelligence acquired from ‘The Gatherings’
and from ‘Enlightenment’.
• Centralize data repository for public viewing (vetted).
• Provide sensitive intelligence for dissemination
through encrypted methods.
– encrypted email (automatic)
– encrypted web portal(s)
• Website: www.thinklikeninja.com
9. Current Enumeration:
Hirschmann EAGLE TX/TX
• One of the more recognized industrial
automation firewalls.
• Hirschmann Automation and Control (HAC)
GmbH acquired by Belden Inc. (formerly
Belden Wire & Cable, Inc.) in 2007.
• Hirschmann EAGLE and EAGLE mGuard
firewalls’ software written by Innominate
Security Technologies.
• Innominate Security Technologies acquired
by Phoenix Contacts, Inc. in 2008.
(Image: the actual model of the device tested.)
10. Hirschmann Enumeration:
Discoveries Found with Firewall
• Actual software from Hirschmann ICS firewall was
written by Innominate Security Technologies.
• Software from Innominate can interchangeably be
used between Hirschmann and Innominate versions.
• Software and firmware would be synchronized.
• Software after v4.2.3 required a ‘license upgrade’
(even though we had updates up to v7.0.1).
• Firmware after v4.2.3 had similar requirements.
11. Hirschmann Enumeration:
Discoveries Found with Firewall
• (Image: actual ICS screen shot.)
• Tests were performed against two (2) firewalls.
– Firewall #1: Innominate
– Firewall #2: Hirschmann
12. Hirschmann Enumeration:
Discoveries Found with Firewall
• F/W v3.0.1 (and including v3.1.1) caused ARP tables
to be dropped during ‘normal’ port scans, requiring
multiple attempts to connect to the firewall.
• F/W v4.0.4 (and higher) did not drop ARP tables.
• However, F/W v4.0.4, when subjected to a vulnerability
scan, produced inconsistent fingerprinting results
(in most cases, no fingerprint at all).
• NMAP (as of v5.35DC1) thinks Hirschmann is a
wireless access point / wireless router.
13. Hirschmann Enumeration:
Discoveries Found with Firewall
Partial output is from the following syntax: nmap -sS -v -O 1.1.1.1 -T3 -PN -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-16 19:15 CDT
…
Device type: WAP|specialized|print server|storage-misc|general purpose|broadband
router|firewall, Running (JUST GUESSING) : Linux 2.4.X|2.6.X (98%), HP embedded
(94%), Netgear RAIDiator 4.X (94%), MontaVista Linux 2.4.X (94%), Actiontec
embedded (93%), Fortinet embedded (91%), Google embedded (91%)
OS fingerprint not ideal because: Timing level 3 (Normal) used
Aggressive OS guesses: DD-WRT v23 (Linux 2.4.36) (98%), Linux 2.4.21 (embedded)
(95%), DD-WRT v23 (Linux 2.4.34) (95%), HP 4200 PSA (Print Server Appliance)
model J4117A (94%), Netgear ReadyNAS Duo NAS device (RAIDiator 4.1.4) (94%),
MontaVista embedded Linux 2.4.17 (94%), Actiontec GT701 DSL modem (93%), Linux
2.4.20 (92%), Fortinet FortiGate-60B or -100A firewall (91%), Google Mini search
appliance (91%)
No exact OS matches for host (test conditions non-ideal).
…
14. Hirschmann Enumeration:
Discoveries Found with Firewall
• Ports open on INTERNAL network interface include:
- 22 (SSH), 53 (DNS), 443 (HTTPS) and 1720 (H.323)
• Enumeration utilized for device included testing from:
- SNMP and HTTPS connections
- Enumeration method utilizes an ‘open source’ tool.
- One tool that will be heavily utilized is NMAP v5 (and newer).
- NMAP (as of Version 4) allows integration of a scripting language.
- The NMAP Scripting Engine (NSE) uses the Lua language
(www.lua.org), with scripts tailored to NMAP (documented at www.nmap.org/nsedoc).
- Over 150 (and growing) common scripts available from Insecure.
15. Hirschmann Enumeration:
Discoveries Found with Firewall
• During one vulnerability scan, NMAP had difficulties fingerprinting
its operating system (it is running an embedded Linux v2.4.36).
• Device is currently available for evaluation for the general public.
• Access has been granted to the INTERNAL network interface.
• Use the command-line (CLI) version of NMAP – the Mac and
UNIX/Linux versions appear to work better with NSE scripts.
• Script written specifically for enumerating the Hirschmann.
• Script is currently in ‘draft mode’, and is being finalized.
• Current version of enumeration script is ‘mguard-10091201.nse’.
16. Hirschmann Enumeration:
Discoveries Found with Firewall
If the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized, output will look something like this:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 12:48 CDT
Nmap scan report for xxx (1.1.1.1)
Host is up (0.0096s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** IF YOU REQUIRE MORE INFO, USE THE "-v" OPTION
| ............Flash ID : 420401db459c83e7
|_............Manufacturer of device : Hirschmann
(Note the Flash ID number; the manufacturer ID is obtained via the SSL certificate.)
1720/tcp filtered H.323/Q.931
Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds
17. Hirschmann Enumeration:
Discoveries Found with Firewall
If the verbose feature of the Hirschmann EAGLE mGuard TX/TX enumeration script is utilized:
# nmap --script=./mguard-10091201.nse 1.1.1.1 -PN -v
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-17 10:24 PDT
NSE: Loaded 1 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.06s elapsed
Initiating Connect Scan at 10:24
Scanning xxxx (1.1.1.1) [1000 ports]
Discovered open port 53/tcp on 1.1.1.1
Discovered open port 22/tcp on 1.1.1.1
Discovered open port 443/tcp on 1.1.1.1
Completed Connect Scan at 10:24, 5.62s elapsed (1000 total ports)
NSE: Script scanning 1.1.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 10:24
Completed NSE at 10:25, 6.06s elapsed
...
18. Hirschmann Enumeration:
Discoveries Found with Firewall
(continued from p.17)
Nmap scan report for xxx (1.1.1.1)
Host is up (0.096s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https
| mguard-10091201: CONFIRM DEVICE AS HIRSCHMANN / INNOMINATE
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID : 420401db459c83e7
| ............Organization name : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
19. Hirschmann Enumeration:
Discoveries Found with Firewall
(continued from p.18)
| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
| ............Server type/version : 4.2.1
| ....Step 3: Existence of "/style.css"
| ............File style.css MD5 : d71581409253d54902bea82107a1abb2
| ............Server type/version : 4.2.1
| ** PHASE 3: HTML pattern matching verification
| ....Step 1: Confirmation of HTML code per version
| ............HTML code verified : CONFIRMED
| ............HTML code variant : Hirschmann
| ....Step 2: Confirmation web server verification
| ............Web server verified : CONFIRMED
| ............Web server name/type : fnord
| ............Web server version : 1.6
20. Hirschmann Enumeration:
Discoveries Found with Firewall
(continued from p.19)
| ** PHASE 4: Documentation
| ....Step 1: Documentation exist? : YES
|.............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_BAT54_SW_Rel754_en.pdf
|_............xxxxxxxxx.xxx/xxxxx/xxxxxx/hirschmann/UM_EAGLE_401_EN.pdf
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.02 seconds
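The verbose output above is exactly what Project ‘NINJA’ would need to catalog. As an added example (not the authors' script or any code from the deck), here is a small Python parser that turns the phase/step/fact layout of mguard-10091201.nse into a record and reconciles the version claims the individual steps make; the sample input is constructed from the lines quoted on slides 18 and 19.

```python
import re
# Constructed sample: the verbose mguard-10091201.nse output quoted in this
# deck (slides 18-19), trimmed to the lines that carry catalog data.
SAMPLE = """\
| ** PHASE 1: TLS/SSL certificate verification
| ....Step 1: SSL certificate info : CONFIRMED
| ....Step 2: SSL certificate MD5 hash information
| ............Flash ID : 420401db459c83e7
| ............Organization name : Hirschmann Automation and Control GmbH
| ............SSL certificate MD5 : c93063872150383b879a69f65ab6d7e5
| ............SSL certificate version: 4.2.1 or newer
| ** PHASE 2: File presence verification
| ....Step 1: Existence of "/favicon.ico"
| ............File favicon.ico MD5 : 7449c1f67008cc3bfabbc8f885712207
| ............Server type/version : 4.2.1 or newer
| ....Step 2: Existence of "/gai.js"
| ............File gai.js MD5 : e7696a86648dcdb6efb2e497e5a8616b
|_............Server type/version : 4.2.1
"""

# Phases start with "** PHASE", steps with four dots, facts with twelve
# dots; "|_" is Nmap's marker for the last line of script output.
PHASE_RE = re.compile(r"^\|_?\s*\*\* PHASE \d+: (.+)$")
STEP_RE = re.compile(r"^\|_?\s*\.{4}Step \d+: ([^:]+?)(?:\s*:\s*(.+))?$")
FACT_RE = re.compile(r"^\|_?\s*\.{12}([^:]+?)\s*:\s*(.+)$")

def parse_mguard_output(text):
    """Turn the NSE output into {phase: {step: {key: value}}} for cataloguing."""
    phases, phase, step = {}, None, None
    for line in text.splitlines():
        if m := PHASE_RE.match(line):
            phase, step = m.group(1).strip(), None
            phases[phase] = {}
        elif (m := STEP_RE.match(line)) and phase:
            step = m.group(1).strip()
            phases[phase][step] = {"Result": m.group(2)} if m.group(2) else {}
        elif (m := FACT_RE.match(line)) and phase and step:
            phases[phase][step][m.group(1).strip()] = m.group(2).strip()
    return phases

def version_claims(phases):
    """Every firmware-version statement the script made, with its phase/step."""
    return [(p, s, v) for p, steps in phases.items() for s, kv in steps.items()
            for k, v in kv.items() if k in ("SSL certificate version", "Server type/version")]

def best_version(phases):
    """Prefer an exact version over an '... or newer' lower bound; None if no claim."""
    values = {v for _, _, v in version_claims(phases)}
    exact = sorted(v for v in values if "or newer" not in v)
    return exact[0] if exact else (min(values) if values else None)
```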
21. Hirschmann Enumeration:
Discoveries Found with Firewall
The following is a sample taken from the startup log while connected to the console:
...
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/i2c/i2c-adap-ixp425.o
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/max6625.o
Warning: loading max6625 will taint the kernel: non-GPL license – Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Using /lib/modules/2.4.25-mg-4.10.1/kernel/drivers/mguard/power.o
Warning: loading power will taint the kernel: non-GPL license – Proprietary
Eagle: PHY sysctl directory registered.
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
...
Thoughts about this?
22. Hirschmann Enumeration:
Summary of the Unit
• This unit allows the secured side to configure the firewall.
- Vulnerable to cross-site scripting (XSS) and session hijacking.
- Malware that gets inside secured networks can still cause damage.
- Other propagation methods for malware include USB, VLAN
attacks/mistakes, operator errors, crossed cables, etc.
- Out-of-band commands for the firewall are needed.
• Licensing problems could make unit a deliberate target.
• ARP table ought to have a hard-wired option.
• Not a stateful firewall; not aware of industrial protocols.
23. One More Thing…
Interesting Coincidence?
• At the time of writing this presentation, the firewall was
probed from several IP addresses from China; one of them is
shown below:
2000-01-01_15:59:37.81412 user.debug: Jan 1 15:59:37 kernel: br0.0001: add 01:00:5e:00:00:01 mcast address to master interface
2000-01-01_15:59:38.62232 auth.info: Jan 1 15:59:38 sshd[10730]: Did not receive identification string from 202.116.160.75
2000-01-01_16:01:37.07397 user.debug: Jan 1 16:01:37 kernel: br0.0001: del 01:00:5e:00:00:01 mcast address from master interface
2000-01-01_16:01:37.33267 user.info: Jan 1 16:01:37 kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
• Here’s the WHOIS information for this IP address:
inetnum: 202.116.160.0 - 202.116.175.255
netname: SCAU-CN
descr: South China Agricultural University
descr: Guangzhou, Guangdong 510642, China
country: CN
24. Next Gathering:
• Mu Dynamics has been very supportive.
• Location and time: SCADA CYBER SECURITY WORKSHOP,
November 3-4, 2010, Southern Methodist University, Dallas, TX
• http://www.nacmast.com/scada-workshop-registration
• Continue “Enlightenment” and “NINJA” programs.
• Introduce and educate next generation of SCADA security specialists.
• Gather data on other user-provided devices.
• Work on CSET validation software.
• Discuss theoretical and practical issues with devices we test.
25. Conclusion
• Combining ‘The Gatherings’ with the intelligence
gathered through enumeration and validation tests,
we feel that there will be more to come … much more.
• So far, we have a small suite of scripts for the following:
– Hirschmann Automation Control GmbH (HAC)
– Allen-Bradley (aka Rockwell)
– Rockwell Automation
– Siemens
– Electro Industries / Gaugetech (EIG)
26. Questions?
Bob Radvanovsky, (630) 673-7740
rsradvan@infracritical.com
Jacob Brodsky, (443) 285-3514
jbrodsky@infracritical.com